Red Hat OpenStack Platform 16.1
Configuration Reference
Configuring Red Hat OpenStack Platform environments
Last Updated: 2021-03-30
OpenStack Documentation
Legal Notice
Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
This document is for system administrators who want to look up configuration options. It contains lists of configuration options available with OpenStack and uses auto-generation to generate options and the descriptions from the code for each project.
Table of Contents
PREFACE
MAKING OPEN SOURCE MORE INCLUSIVE
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
CHAPTER 1. BARBICAN
1.1. BARBICAN.CONF
1.1.1. DEFAULT
1.1.2. certificate
1.1.3. certificate_event
1.1.4. cors
1.1.5. crypto
1.1.6. dogtag_plugin
1.1.7. keystone_authtoken
1.1.8. keystone_notifications
1.1.9. kmip_plugin
1.1.10. oslo_messaging_amqp
1.1.11. oslo_messaging_kafka
1.1.12. oslo_messaging_notifications
1.1.13. oslo_messaging_rabbit
1.1.14. oslo_middleware
1.1.15. oslo_policy
1.1.16. p11_crypto_plugin
1.1.17. queue
1.1.18. quotas
1.1.19. retry_scheduler
1.1.20. secretstore
1.1.21. simple_crypto_plugin
1.1.22. snakeoil_ca_plugin
1.1.23. ssl
CHAPTER 2. CINDER
2.1. CINDER.CONF
2.1.1. DEFAULT
2.1.2. backend
2.1.3. backend_defaults
2.1.4. barbican
2.1.5. brcd_fabric_example
2.1.6. cisco_fabric_example
2.1.7. coordination
2.1.8. cors
2.1.9. database
2.1.10. fc-zone-manager
2.1.11. healthcheck
2.1.12. key_manager
2.1.13. keystone_authtoken
2.1.14. nova
2.1.15. oslo_concurrency
2.1.16. oslo_messaging_amqp
2.1.17. oslo_messaging_kafka
2.1.18. oslo_messaging_notifications
2.1.19. oslo_messaging_rabbit
2.1.20. oslo_middleware
2.1.21. oslo_policy
2.1.22. oslo_reports
2.1.23. oslo_versionedobjects
2.1.24. privsep
2.1.25. profiler
2.1.26. sample_castellan_source
2.1.27. sample_remote_file_source
2.1.28. service_user
2.1.29. ssl
2.1.30. vault
CHAPTER 3. GLANCE
3.1. GLANCE-API.CONF
3.1.1. DEFAULT
3.1.2. cinder
3.1.3. cors
3.1.4. database
3.1.5. file
3.1.6. glance.store.http.store
3.1.7. glance.store.rbd.store
3.1.8. glance.store.sheepdog.store
3.1.9. glance.store.swift.store
3.1.10. glance.store.vmware_datastore.store
3.1.11. glance_store
3.1.12. image_format
3.1.13. keystone_authtoken
3.1.14. oslo_concurrency
3.1.15. oslo_messaging_amqp
3.1.16. oslo_messaging_kafka
3.1.17. oslo_messaging_notifications
3.1.18. oslo_messaging_rabbit
3.1.19. oslo_middleware
3.1.20. oslo_policy
3.1.21. paste_deploy
3.1.22. profiler
3.1.23. store_type_location_strategy
3.1.24. task
3.1.25. taskflow_executor
3.2. GLANCE-SCRUBBER.CONF
3.2.1. DEFAULT
3.2.2. database
3.2.3. glance_store
3.2.4. oslo_concurrency
3.2.5. oslo_policy
3.3. GLANCE-CACHE.CONF
3.3.1. DEFAULT
3.3.2. glance_store
3.3.3. oslo_policy
CHAPTER 4. HEAT
4.1. HEAT.CONF
4.1.1. DEFAULT
4.1.2. auth_password
4.1.3. clients
4.1.4. clients_aodh
4.1.5. clients_barbican
4.1.6. clients_cinder
4.1.7. clients_designate
4.1.8. clients_glance
4.1.9. clients_heat
4.1.10. clients_keystone
4.1.11. clients_magnum
4.1.12. clients_manila
4.1.13. clients_mistral
4.1.14. clients_monasca
4.1.15. clients_neutron
4.1.16. clients_nova
4.1.17. clients_octavia
4.1.18. clients_sahara
4.1.19. clients_senlin
4.1.20. clients_swift
4.1.21. clients_trove
4.1.22. clients_zaqar
4.1.23. cors
4.1.24. database
4.1.25. ec2authtoken
4.1.26. eventlet_opts
4.1.27. healthcheck
4.1.28. heat_api
4.1.29. heat_api_cfn
4.1.30. heat_api_cloudwatch
4.1.31. keystone_authtoken
4.1.32. noauth
4.1.33. oslo_messaging_amqp
4.1.34. oslo_messaging_kafka
4.1.35. oslo_messaging_notifications
4.1.36. oslo_messaging_rabbit
4.1.37. oslo_middleware
4.1.38. oslo_policy
4.1.39. paste_deploy
4.1.40. profiler
4.1.41. revision
4.1.42. ssl
4.1.43. trustee
4.1.44. volumes
CHAPTER 5. IRONIC
5.1. IRONIC.CONF
5.1.1. DEFAULT
5.1.2. agent
5.1.3. ansible
5.1.4. api
5.1.5. audit
5.1.6. cinder
5.1.7. conductor
5.1.8. console
5.1.9. cors
5.1.10. database
5.1.11. deploy
5.1.12. dhcp
5.1.13. disk_partitioner
5.1.14. disk_utils
5.1.15. drac
5.1.16. glance
5.1.17. healthcheck
5.1.18. ilo
5.1.19. inspector
5.1.20. ipmi
5.1.21. irmc
5.1.22. ironic_lib
5.1.23. iscsi
5.1.24. json_rpc
5.1.25. keystone_authtoken
5.1.26. mdns
5.1.27. metrics
5.1.28. metrics_statsd
5.1.29. neutron
5.1.30. nova
5.1.31. oslo_concurrency
5.1.32. oslo_messaging_amqp
5.1.33. oslo_messaging_kafka
5.1.34. oslo_messaging_notifications
5.1.35. oslo_messaging_rabbit
5.1.36. oslo_middleware
5.1.37. oslo_policy
5.1.38. profiler
5.1.39. pxe
5.1.40. service_catalog
5.1.41. snmp
5.1.42. ssl
5.1.43. swift
5.1.44. xclarity
CHAPTER 6. IRONIC-INSPECTOR
6.1. INSPECTOR.CONF
6.1.1. DEFAULT
6.1.2. capabilities
6.1.3. coordination
6.1.4. cors
6.1.5. database
6.1.6. discovery
6.1.7. dnsmasq_pxe_filter
6.1.8. iptables
6.1.9. ironic
6.1.10. keystone_authtoken
6.1.11. oslo_policy
6.1.12. pci_devices
6.1.13. processing
6.1.14. pxe_filter
6.1.15. service_catalog
6.1.16. swift
CHAPTER 7. KEYSTONE
7.1. KEYSTONE.CONF
7.1.1. DEFAULT
7.1.2. application_credential
7.1.3. assignment
7.1.4. auth
7.1.5. cache
7.1.6. catalog
7.1.7. cors
7.1.8. credential
7.1.9. database
7.1.10. domain_config
7.1.11. endpoint_filter
7.1.12. endpoint_policy
7.1.13. eventlet_server
7.1.14. federation
7.1.15. fernet_receipts
7.1.16. fernet_tokens
7.1.17. healthcheck
7.1.18. identity
7.1.19. identity_mapping
7.1.20. jwt_tokens
7.1.21. ldap
7.1.22. memcache
7.1.23. oauth1
7.1.24. oslo_messaging_amqp
7.1.25. oslo_messaging_kafka
7.1.26. oslo_messaging_notifications
7.1.27. oslo_messaging_rabbit
7.1.28. oslo_middleware
7.1.29. oslo_policy
7.1.30. policy
7.1.31. profiler
7.1.32. receipt
7.1.33. resource
7.1.34. revoke
7.1.35. role
7.1.36. saml
7.1.37. security_compliance
7.1.38. shadow_users
7.1.39. token
7.1.40. tokenless_auth
7.1.41. totp
7.1.42. trust
7.1.43. unified_limit
7.1.44. wsgi
CHAPTER 8. NEUTRON
8.1. DHCP_AGENT.INI
8.1.1. DEFAULT
8.1.2. agent
8.1.3. ovs
8.2. L3_AGENT.INI
8.2.1. DEFAULT
8.2.2. agent
8.2.3. network_log
8.2.4. ovs
8.3. LINUXBRIDGE_AGENT.INI
8.3.1. DEFAULT
8.3.2. agent
8.3.3. linux_bridge
8.3.4. network_log
8.3.5. securitygroup
8.3.6. vxlan
8.4. METADATA_AGENT.INI
8.4.1. DEFAULT
8.4.2. agent
8.4.3. cache
8.5. METERING_AGENT.INI
8.5.1. DEFAULT
8.5.2. agent
8.5.3. ovs
8.6. ML2_CONF.INI
8.6.1. DEFAULT
8.6.2. ml2
8.6.3. ml2_type_flat
8.6.4. ml2_type_geneve
8.6.5. ml2_type_gre
8.6.6. ml2_type_vlan
8.6.7. ml2_type_vxlan
8.6.8. ovs_driver
8.6.9. securitygroup
8.6.10. sriov_driver
8.7. NEUTRON.CONF
8.7.1. DEFAULT
8.7.2. agent
8.7.3. cors
8.7.4. database
8.7.5. ironic
8.7.6. keystone_authtoken
8.7.7. nova
8.7.8. oslo_concurrency
8.7.9. oslo_messaging_amqp
8.7.10. oslo_messaging_kafka
8.7.11. oslo_messaging_notifications
8.7.12. oslo_messaging_rabbit
8.7.13. oslo_middleware
8.7.14. oslo_policy
8.7.15. privsep
8.7.16. quotas
8.7.17. ssl
8.8. OPENVSWITCH_AGENT.INI
8.8.1. DEFAULT
8.8.2. agent
8.8.3. network_log
8.8.4. ovs
8.8.5. securitygroup
8.8.6. xenapi
8.9. SRIOV_AGENT.INI
8.9.1. DEFAULT
8.9.2. agent
8.9.3. sriov_nic
CHAPTER 9. NOVA
9.1. NOVA.CONF
9.1.1. DEFAULT
9.1.2. api
9.1.3. api_database
9.1.4. barbican
9.1.5. cache
9.1.6. cinder
9.1.7. compute
9.1.8. conductor
9.1.9. console
9.1.10. consoleauth
9.1.11. cors
9.1.12. database
9.1.13. devices
9.1.14. ephemeral_storage_encryption
9.1.15. filter_scheduler
9.1.16. glance
9.1.17. guestfs
9.1.18. healthcheck
9.1.19. hyperv
9.1.20. ironic
9.1.21. key_manager
9.1.22. keystone
9.1.23. keystone_authtoken
9.1.24. libvirt
9.1.25. metrics
9.1.26. mks
9.1.27. neutron
9.1.28. notifications
9.1.29. osapi_v21
9.1.30. oslo_concurrency
9.1.31. oslo_messaging_amqp
9.1.32. oslo_messaging_kafka
9.1.33. oslo_messaging_notifications
9.1.34. oslo_messaging_rabbit
9.1.35. oslo_middleware
9.1.36. oslo_policy
9.1.37. pci
9.1.38. placement
9.1.39. powervm
9.1.40. privsep
9.1.41. profiler
9.1.42. quota
9.1.43. rdp
9.1.44. remote_debug
9.1.45. scheduler
9.1.46. serial_console
9.1.47. service_user
9.1.48. spice
9.1.49. upgrade_levels
9.1.50. vault
9.1.51. vendordata_dynamic_auth
9.1.52. vmware
9.1.53. vnc
9.1.54. workarounds
9.1.55. wsgi
9.1.56. xenserver
9.1.57. xvp
9.1.58. zvm
PREFACE
This document describes the options available in the configuration files for each of the major services in Red Hat OpenStack Platform. The content is automatically generated based on the values in the configuration files themselves, and is provided for reference purposes only.
WARNING
Manually editing configuration files is not supported. All configuration changes must be made through the Director. Red Hat provides this guide as a technical reference only.
MAKING OPEN SOURCE MORE INCLUSIVE
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION
We appreciate your input on our documentation. Tell us how we can make it better.
Using the Direct Documentation Feedback (DDF) function
Use the Add Feedback DDF function for direct comments on specific sentences, paragraphs, or code blocks.
1. View the documentation in the Multi-page HTML format.
2. Ensure that you see the Feedback button in the upper right corner of the document.
3. Highlight the part of text that you want to comment on.
4. Click Add Feedback.
5. Complete the Add Feedback field with your comments.
6. Optional: Add your email address so that the documentation team can contact you for clarification on your issue.
7. Click Submit.
CHAPTER 1. BARBICAN
The following chapter contains information about the configuration options in the barbican service.
1.1. BARBICAN.CONF
This section contains options for the /etc/barbican/barbican.conf file.
1.1.1. DEFAULT
The following table outlines the options available under the [DEFAULT] group in the /etc/barbican/barbican.conf file.
.
Configuration option =Default value
Type Description
admin_role = admin string value Role used to identify an authenticated user asadministrator.
allow_anonymous_access = False
boolean value Allow unauthenticated users to access the API withread-only privileges. This only applies when usingContextMiddleware.
api_paste_config = api-paste.ini
string value File name for the paste.deploy config for api service
backdoor_port = None string value Enable eventlet backdoor. Acceptable values are 0,, and :, where 0 results in listeningon a random tcp port number; results inlistening on the specified port number (and notenabling backdoor if that port is in use); and : results in listening on the smallest unused portnumber within the specified range of port numbers.The chosen port is displayed in the service’s log file.
backdoor_socket = None string value Enable eventlet backdoor, using the provided path asa unix socket that can receive connections. Thisoption is mutually exclusive with backdoor_port inthat only one should be provided. If both areprovided then the existence of this option overridesthe usage of that option. Inside the path {pid} will bereplaced with the PID of the current process.
client_socket_timeout = 900
integer value Timeout for client connections' socket operations. Ifan incoming connection is idle for this number ofseconds it will be closed. A value of 0 means waitforever.
conn_pool_min_size = 2 integer value The pool size limit for connections expiration policy
CHAPTER 1. BARBICAN
13
conn_pool_ttl = 1200 integer value The time-to-live in sec of idle connections in the pool
control_exchange = openstack
string value The default exchange under which topics are scoped.May be overridden by an exchange name specified inthe transport_url option.
db_auto_create = True boolean value Create the Barbican database on service startup.
debug = False boolean value If set to true, the logging level will be set to DEBUGinstead of the default INFO level.
default_limit_paging = 10 integer value Default page size for the limit paging URL parameter.
default_log_levels = ['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']
list value List of package logging levels in logger=LEVEL pairs.This option is ignored if log_config_append is set.
executor_thread_pool_size = 64
integer value Size of executor thread pool when executor isthreading or eventlet.
fatal_deprecations = False
boolean value Enables or disables fatal status of deprecations.
Configuration option =Default value
Type Description
Red Hat OpenStack Platform 16.1 Configuration Reference
14
host_href = http://localhost:9311
string value Host name, for use in HATEOAS-style referencesNote: Typically this would be the load balancedendpoint that clients would use to communicate backwith this service. If a deployment wants to derive hostfrom wsgi request instead then make this blank. Blankis needed to override default config value which ishttp://localhost:9311
`instance_format = [instance:%(uuid)s] `
string value The format for an instance that is passed with the logmessage.
`instance_uuid_format =[instance: %(uuid)s] `
string value The format for an instance UUID that is passed withthe log message.
log-config-append = None string value The name of a logging configuration file. This file isappended to any existing logging configuration files.For details about logging configuration files, see thePython logging module documentation. Note thatwhen logging configuration files are used then alllogging configuration is set in the configuration fileand other logging configuration options are ignored(for example, log-date-format).
log-date-format = %Y-%m-%d %H:%M:%S
string value Defines the format string for %%(asctime)s in logrecords. Default: %(default)s . This option is ignoredif log_config_append is set.
log-dir = None string value (Optional) The base directory used for relativelog_file paths. This option is ignored iflog_config_append is set.
log-file = None string value (Optional) Name of log file to send logging outputto. If no default is set, logging will go to stderr asdefined by use_stderr. This option is ignored iflog_config_append is set.
log_rotate_interval = 1 integer value The amount of time before the log files are rotated.This option is ignored unless log_rotation_type issetto "interval".
log_rotate_interval_type = days
string value Rotation interval type. The time of the last filechange (or the time when the service was started) isused when scheduling the next rotation.
log_rotation_type = none string value Log rotation type.
Configuration option =Default value
Type Description
CHAPTER 1. BARBICAN
15
http://localhost:9311
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
string value Format string to use for log messages with context.Used by oslo_log.formatters.ContextFormatter
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
string value Additional data to append to log message whenlogging level for the message is DEBUG. Used byoslo_log.formatters.ContextFormatter
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
string value Format string to use for log messages when contextis undefined. Used byoslo_log.formatters.ContextFormatter
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
string value Prefix each line of exception output with this format.Used by oslo_log.formatters.ContextFormatter
logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
string value Defines the format string for %(user_identity)s that isused in logging_context_format_string. Used byoslo_log.formatters.ContextFormatter
max_allowed_request_size_in_bytes = 15000
integer value Maximum allowed http request size against thebarbican-api.
max_allowed_secret_in_bytes = 10000
integer value Maximum allowed secret size in bytes.
max_header_line = 16384 integer value Maximum line size of message headers to beaccepted. max_header_line may need to beincreased when using large tokens (typically thosegenerated when keystone is configured to use PKItokens with big service catalogs).
max_limit_paging = 100 integer value Maximum page size for the limit paging URLparameter.
max_logfile_count = 30 integer value Maximum number of rotated log files.
Configuration option =Default value
Type Description
Red Hat OpenStack Platform 16.1 Configuration Reference
16
max_logfile_size_mb = 200
integer value Log file maximum size in MB. This option is ignored if"log_rotation_type" is not set to "size".
publish_errors = False boolean value Enables or disables publication of error events.
rate_limit_burst = 0 integer value Maximum number of logged messages perrate_limit_interval.
rate_limit_except_level = CRITICAL
string value Log level name used by rate limiting: CRITICAL,ERROR, INFO, WARNING, DEBUG or empty string.Logs with level greater or equal torate_limit_except_level are not filtered. An emptystring means that all levels are filtered.
rate_limit_interval = 0 integer value Interval, number of seconds, of log rate limiting.
rpc_conn_pool_size = 30 integer value Size of RPC connection pool.
rpc_response_timeout = 60
integer value Seconds to wait for a response from a call.
run_external_periodic_tasks = True
boolean value Some periodic tasks can be run in a separate process.Should we run them here?
sql_connection = sqlite:///barbican.sqlite
string value SQLAlchemy connection string for the referenceimplementation registry server. Any validSQLAlchemy connection string is fine. See:http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine.Note: For absolute addresses, use //// slashes aftersqlite:.
sql_idle_timeout = 3600 integer value Period in seconds after which SQLAlchemy shouldreestablish its connection to the database. MySQLuses a default wait_timeout of 8 hours, after whichit will drop idle connections. This can result in MySQLGone Away exceptions. If you notice this, you canlower this value to ensure that SQLAlchemyreconnects before MySQL can drop the connection.
sql_max_retries = 60 integer value Maximum number of database connection retriesduring startup. Set to -1 to specify an infinite retrycount.
Configuration option =Default value
Type Description
CHAPTER 1. BARBICAN
17
http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
sql_pool_class = QueuePool
string value Accepts a class imported from the sqlalchemy.poolmodule, and handles the details of building the poolfor you. If commented out, SQLAlchemy will selectbased on the database dialect. Other options areQueuePool (for SQLAlchemy-managedconnections) and NullPool (to disabled SQLAlchemymanagement of connections). Seehttp://docs.sqlalchemy.org/en/latest/core/pooling.html for more details
sql_pool_logging = False boolean value Show SQLAlchemy pool-related debugging outputin logs (sets DEBUG log level output) if specified.
sql_pool_max_overflow = 10
integer value The maximum overflow size of the pool used bySQLAlchemy. When the number of checked-outconnections reaches the size set in sql_pool_size,additional connections will be returned up to thislimit. It follows then that the total number ofsimultaneous connections the pool will allow issql_pool_size + sql_pool_max_overflow. Can be set to-1 to indicate no overflow limit, so no limit will beplaced on the total number of concurrentconnections. Comment out to allow SQLAlchemy toselect the default.
sql_pool_size = 5 integer value Size of pool used by SQLAlchemy. This is the largestnumber of connections that will be kept persistentlyin the pool. Can be set to 0 to indicate no size limit.To disable pooling, use a NullPool with sql_pool_classinstead. Comment out to allow SQLAlchemy toselect the default.
sql_retry_interval = 1 integer value Interval between retries of opening a SQLconnection.
syslog-log-facility = LOG_USER
string value Syslog facility to receive log lines. This option isignored if log_config_append is set.
tcp_keepidle = 600 integer value Sets the value of TCP_KEEPIDLE in seconds for eachserver socket. Not supported on OS X.
Configuration option =Default value
Type Description
Red Hat OpenStack Platform 16.1 Configuration Reference
18
http://docs.sqlalchemy.org/en/latest/core/pooling.html
transport_url = rabbit:// string value The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:
driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query
Example: rabbit://rabbitmq:[email protected]:5672//
For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
use-journal = False boolean value Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages. This option is ignored if log_config_append is set.
use-json = False boolean value Use JSON formatting for logging. This option is ignored if log_config_append is set.
use-syslog = False boolean value Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
use_eventlog = False boolean value Log output to Windows Event Log.
use_stderr = False boolean value Log output to standard error. This option is ignored if log_config_append is set.
watch-log-file = False boolean value Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
wsgi_default_pool_size = 100
integer value Size of the pool of greenthreads used by wsgi
wsgi_keep_alive = True boolean value If False, closes the client socket connection explicitly.
wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
string value A python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
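The transport_url format given in the table above (driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query) carries credentials inline, so anything that logs or displays the option should mask them. The following parser and redactor is an added example, not code from oslo.messaging or from this reference; the host names, user name and password in SAMPLE are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote

# Constructed sample: two brokers, with a percent-encoded "@" in the password.
SAMPLE = ("rabbit://barbican:p%40ss@mq1.example.test:5672,"
          "barbican:p%40ss@mq2.example.test:5672/barbican_vhost")


@dataclass
class Host:
    username: Optional[str]
    password: Optional[str]
    hostname: str
    port: Optional[int]


@dataclass
class TransportURL:
    driver: str
    hosts: List[Host]
    virtual_host: Optional[str]
    query: str


def split_hostport(hostport):
    """Split host:port, accepting bracketed IPv6 literals such as [::1]:5672."""
    if hostport.startswith("["):
        host, bracket, tail = hostport[1:].partition("]")
        if not bracket:
            raise ValueError("unterminated IPv6 literal: %r" % hostport)
        port = tail[1:] if tail.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    if port and not port.isdigit():
        raise ValueError("port is not numeric: %r" % hostport)
    return host, (int(port) if port else None)


def parse_transport_url(url):
    """Parse the documented multi-host form into its components."""
    driver, sep, rest = url.partition("://")
    if not sep or not driver:
        raise ValueError("expected driver://...")
    rest, _, query = rest.partition("?")
    netloc, slash, vhost = rest.partition("/")
    hosts = []
    for entry in netloc.split(","):
        if not entry:
            continue
        # rpartition: a raw "@" inside the password must not end the userinfo early
        userinfo, at, hostport = entry.rpartition("@")
        username = password = None
        if at:
            name, colon, secret = userinfo.partition(":")
            username = unquote(name)
            password = unquote(secret) if colon else None
        hostname, port = split_hostport(hostport)
        hosts.append(Host(username, password, hostname, port))
    return TransportURL(driver, hosts, unquote(vhost) if slash else None, query)


def embeds_credentials(url):
    """True when any host entry carries a password."""
    return any(h.password is not None for h in parse_transport_url(url).hosts)


def redact(url):
    """Rebuild the URL with every password replaced by ***, safe to log."""
    parsed = parse_transport_url(url)
    entries = []
    for h in parsed.hosts:
        name = "[%s]" % h.hostname if ":" in h.hostname else h.hostname
        hostport = name if h.port is None else "%s:%d" % (name, h.port)
        if h.username is None:
            entries.append(hostport)
        else:
            cred = quote(h.username, safe="")
            if h.password is not None:
                cred += ":***"
            entries.append(cred + "@" + hostport)
    out = parsed.driver + "://" + ",".join(entries)
    if parsed.virtual_host is not None:
        out += "/" + quote(parsed.virtual_host, safe="/")
    if parsed.query:
        out += "?" + parsed.query
    return out


if __name__ == "__main__":
    print(redact(SAMPLE))
```

A password containing a raw "," or "/" cannot be told apart from the host separators in this format and has to be percent-encoded before it is placed in the URL.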
1.1.2. certificate
The following table outlines the options available under the [certificate] group in the /etc/barbican/barbican.conf file.
Table 1.1. certificate
Configuration option =Default value
Type Description
enabled_certificate_plugins = ['simple_certificate']
multi valued List of certificate plugins to load.
namespace = barbican.certificate.plugin
string value Extension namespace to search for plugins.
1.1.3. certificate_event
The following table outlines the options available under the [certificate_event] group in the /etc/barbican/barbican.conf file.
Table 1.2. certificate_event
Configuration option =Default value
Type Description
enabled_certificate_event_plugins = ['simple_certificate_event']
multi valued List of certificate plugins to load.
namespace = barbican.certificate.event.plugin
string value Extension namespace to search for eventing plugins.
1.1.4. cors
The following table outlines the options available under the [cors] group in the /etc/barbican/barbican.conf file.
Table 1.3. cors
Configuration option =Default value
Type Description
allow_credentials = True boolean value Indicate that the actual request can include user credentials
allow_headers = ['X-Auth-Token', 'X-Openstack-Request-Id', 'X-Project-Id', 'X-Identity-Status', 'X-User-Id', 'X-Storage-Token', 'X-Domain-Id', 'X-User-Domain-Id', 'X-Project-Domain-Id', 'X-Roles']
list value Indicate which header field names may be used during the actual request.
allow_methods = ['GET', 'PUT', 'POST', 'DELETE', 'PATCH']
list value Indicate which methods can be used during the actual request.
allowed_origin = None list value Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
expose_headers = ['X-Auth-Token', 'X-Openstack-Request-Id', 'X-Project-Id', 'X-Identity-Status', 'X-User-Id', 'X-Storage-Token', 'X-Domain-Id', 'X-User-Domain-Id', 'X-Project-Domain-Id', 'X-Roles']
list value Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
max_age = 3600 integer value Maximum cache age of CORS preflight requests.
1.1.5. crypto
The following table outlines the options available under the [crypto] group in the /etc/barbican/barbican.conf file.
Table 1.4. crypto
Configuration option =Default value
Type Description
enabled_crypto_plugins = ['simple_crypto']
multi valued List of crypto plugins to load.
namespace = barbican.crypto.plugin
string value Extension namespace to search for plugins.
1.1.6. dogtag_plugin
The following table outlines the options available under the [dogtag_plugin] group in the /etc/barbican/barbican.conf file.
Table 1.5. dogtag_plugin
Configuration option =Default value
Type Description
auto_approved_profiles = caServerCert
string value List of automatically approved enrollment profiles
ca_expiration_time = 1 string value Time in days for CA entries to expire
dogtag_host = localhost string value Hostname for the Dogtag instance
dogtag_port = 8443 port value Port for the Dogtag instance
nss_db_path = /etc/barbican/alias
string value Path to the NSS certificate database
nss_password = None string value Password for the NSS certificate databases
pem_path = /etc/barbican/kra_admin_cert.pem
string value Path to PEM file for authentication
plugin_name = Dogtag KRA
string value User friendly plugin name
plugin_working_dir = /etc/barbican/dogtag
string value Working directory for Dogtag plugin
retries = 3 integer value Retries when storing or generating secrets
simple_cmc_profile = caOtherCert
string value Profile for simple CMC requests
1.1.7. keystone_authtoken
The following table outlines the options available under the [keystone_authtoken] group in the /etc/barbican/barbican.conf file.
Table 1.6. keystone_authtoken
Configuration option =Default value
Type Description
auth_section = None string value Config Section from which to load plugin specific options
auth_type = None string value Authentication type to load
auth_uri = None string value (DEPRECATED FOR REMOVAL) Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
auth_version = None string value API version of the Identity API endpoint.
cache = None string value Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.
cafile = None string value A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.
certfile = None string value Required if identity server requires client certificate
delay_auth_decision = False
boolean value Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
enforce_token_bind = permissive
string value Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None
integer value Request timeout value for communicating with Identity API server.
http_request_max_retries = 3
integer value How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True
boolean value (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False boolean value Verify HTTPS connections.
interface = admin string value Interface to use for the Identity API endpoint. Valid values are "public", "internal" or "admin" (default).
keyfile = None string value Required if identity server requires client certificate
memcache_pool_conn_get_timeout = 10
integer value (Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
memcache_pool_dead_retry = 300
integer value (Optional) Number of seconds memcached server is considered dead before it is tried again.
memcache_pool_maxsize = 10
integer value (Optional) Maximum total number of open connections to every memcached server.
memcache_pool_socket_timeout = 3
integer value (Optional) Socket timeout in seconds for communicating with a memcached server.
memcache_pool_unused_timeout = 60
integer value (Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
memcache_secret_key = None
string value (Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
memcache_security_strategy = None
string value (Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
boolean value (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
memcached_servers = None
list value Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
region_name = None string value The region in which the identity server can be found.
service_token_roles = ['service']
list value A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
service_token_roles_required = False
boolean value For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
service_type = None string value The name or type of the service as it appears in the service catalog. This is used to validate tokens that have restricted access rules.
token_cache_time = 300 integer value In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
www_authenticate_uri = None
string value Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
1.1.8. keystone_notifications
The following table outlines the options available under the [keystone_notifications] group in the /etc/barbican/barbican.conf file.
Table 1.7. keystone_notifications
Configuration option =Default value
Type Description
allow_requeue = False boolean value True enables requeue feature in case of notification processing error. Enable this only when underlying transport supports this feature.
control_exchange = keystone
string value The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
enable = False boolean value True enables keystone notification listener functionality.
thread_pool_size = 10 integer value Define the number of max threads to be used for notification server processing functionality.
topic = notifications string value Keystone notification queue topic name. This name needs to match one of values mentioned in Keystone deployment’s notification_topics configuration e.g. notification_topics=notifications,barbican_notifications. Multiple servers may listen on a topic and messages will be dispatched to one of the servers in a round-robin fashion. That’s why Barbican service should have its own dedicated notification queue so that it receives all of Keystone notifications.
version = 1.0 string value Version of tasks invoked via notifications
1.1.9. kmip_plugin
The following table outlines the options available under the [kmip_plugin] group in the /etc/barbican/barbican.conf file.
Table 1.8. kmip_plugin
Configuration option =Default value
Type Description
ca_certs = None string value File path to concatenated "certification authority" certificates
certfile = None string value File path to local client certificate
host = localhost string value Address of the KMIP server
keyfile = None string value File path to local client certificate keyfile
password = None string value Password for authenticating with KMIP server
pkcs1_only = False boolean value Only support PKCS#1 encoding of asymmetric keys
plugin_name = KMIP HSM string value User friendly plugin name
port = 5696 port value Port for the KMIP server
ssl_version = PROTOCOL_TLSv1_2
string value SSL version, maps to the module ssl’s constants
username = None string value Username for authenticating with KMIP server
1.1.10. oslo_messaging_amqp
The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/barbican/barbican.conf file.
Table 1.9. oslo_messaging_amqp
Configuration option =Default value
Type Description
addressing_mode = dynamic
string value Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing; routable - use routable addresses; dynamic - use legacy addresses if the message bus does not support routing, otherwise use routable addressing
anycast_address = anycast
string value Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
broadcast_prefix = broadcast
string value address prefix used when broadcasting to all servers
connection_retry_backoff = 2
integer value Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
connection_retry_interval = 1
integer value Seconds to pause before attempting to re-connect.
connection_retry_interval_max = 30
integer value Maximum limit for connection_retry_interval + connection_retry_backoff
container_name = None string value Name for the AMQP container. Must be globally unique. Defaults to a generated UUID
default_notification_exchange = None
string value Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set, else default_notification_exchange if set, else control_exchange if set, else notify
default_notify_timeout = 30
integer value The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
default_reply_retry = 0 integer value The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
default_reply_timeout = 30
integer value The deadline for an rpc reply message delivery.
default_rpc_exchange = None
string value Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set, else default_rpc_exchange if set, else control_exchange if set, else rpc
default_send_timeout = 30
integer value The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
default_sender_link_timeout = 600
integer value The duration to schedule a purge of idle sender links. Detach link after expiry.
group_request_prefix = unicast
string value address prefix when sending to any server in group
idle_timeout = 0 integer value Timeout for inactive connections (in seconds)
link_retry_delay = 10 integer value Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
multicast_address = multicast
string value Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
notify_address_prefix = openstack.org/om/notify
string value Address prefix for all generated Notification addresses
notify_server_credit = 100 integer value Window size for incoming Notification messages
pre_settled = ['rpc-cast', 'rpc-reply']
multi valued Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled; rpc-reply - send RPC Replies pre-settled; rpc-cast - send RPC Casts pre-settled; notify - send Notifications pre-settled
pseudo_vhost = True boolean value Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
reply_link_credit = 200 integer value Window size for incoming RPC Reply messages.
rpc_address_prefix = openstack.org/om/rpc
string value Address prefix for all generated RPC addresses
rpc_server_credit = 100 integer value Window size for incoming RPC Request messages
`sasl_config_dir = ` string value Path to directory that contains the SASL configuration
`sasl_config_name = ` string value Name of configuration file (without .conf suffix)
`sasl_default_realm = ` string value SASL realm to use if no realm present in username
`sasl_mechanisms = ` string value Space separated list of acceptable SASL mechanisms
server_request_prefix = exclusive
string value address prefix used when sending to a specific server
ssl = False boolean value Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = ` string value CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = ` string value Self-identifying certificate PEM file for client authentication
`ssl_key_file = ` string value Private key PEM file used to sign ssl_cert_file certificate (optional)
ssl_key_password = None
string value Password for decrypting ssl_key_file (if encrypted)
ssl_verify_vhost = False boolean value By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
trace = False boolean value Debug: dump AMQP frames to stdout
unicast_address = unicast
string value Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
1.1.11. oslo_messaging_kafka
The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/barbican/barbican.conf file.
Table 1.10. oslo_messaging_kafka
Configuration option =Default value
Type Description
compression_codec = none
string value The compression codec for all data generated by the producer. If not set, compression will not be used. Note that the allowed values of this depend on the kafka version
conn_pool_min_size = 2 integer value (DEPRECATED FOR REMOVAL) The pool size limit for connections expiration policy
conn_pool_ttl = 1200 integer value (DEPRECATED FOR REMOVAL) The time-to-live in sec of idle connections in the pool
consumer_group = oslo_messaging_consumer
string value Group id for Kafka consumer. Consumers in one group will coordinate message consumption
enable_auto_commit = False
boolean value Enable asynchronous consumer commits
kafka_consumer_timeout = 1.0
floating point value
Default timeout(s) for Kafka consumers
kafka_max_fetch_bytes = 1048576
integer value Max fetch bytes of Kafka consumer
max_poll_records = 500 integer value The maximum number of records returned in a poll call
pool_size = 10 integer value (DEPRECATED FOR REMOVAL) Pool Size for Kafka Consumers
producer_batch_size = 16384
integer value Size of batch for the producer async send
producer_batch_timeout = 0.0
floating point value
Upper bound on the delay for KafkaProducer batching in seconds
sasl_mechanism = PLAIN string value Mechanism when security protocol is SASL
security_protocol = PLAINTEXT
string value Protocol used to communicate with brokers
`ssl_cafile = ` string value CA certificate PEM file used to verify the server certificate
1.1.12. oslo_messaging_notifications
The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/barbican/barbican.conf file.
Table 1.11. oslo_messaging_notifications
Configuration option =Default value
Type Description
driver = [] multi valued The driver(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
retry = -1 integer value The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
topics = ['notifications'] list value AMQP topic used for OpenStack notifications.
transport_url = None string value A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.
1.1.13. oslo_messaging_rabbit
The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/barbican/barbican.conf file.
Table 1.12. oslo_messaging_rabbit
Configuration option =Default value
Type Description
amqp_auto_delete = False boolean value Auto-delete queues in AMQP.
amqp_durable_queues = False
boolean value Use durable queues in AMQP.
direct_mandatory_flag = True
integer value Enable/Disable the RabbitMQ mandatory flag for direct send. The direct send is used as reply, so the MessageUndeliverable exception is raised in case the client queue does not exist.
heartbeat_in_pthread = False
boolean value EXPERIMENTAL: Run the health check heartbeat thread through a native python thread. By default, if this option isn’t provided, the health check heartbeat will inherit the execution model from the parent process. For example, if the parent process has monkey patched the stdlib by using eventlet/greenlet, then the heartbeat will be run through a green thread.
heartbeat_rate = 2 integer value How many times during the heartbeat_timeout_threshold the heartbeat is checked.
heartbeat_timeout_threshold = 60
integer value Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disables heartbeat).
kombu_compression = None
string value EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
kombu_failover_strategy = round-robin
string value Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
kombu_missing_consumer_retry_timeout = 60
integer value How long to wait for a missing client before abandoning sending it its replies. This value should not be longer than rpc_response_timeout.
kombu_reconnect_delay = 1.0
floating point value
How long to wait before reconnecting in response to an AMQP consumer cancel notification.
rabbit_ha_queues = False boolean value Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode":"all"} "
rabbit_interval_max = 30 integer value Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
rabbit_login_method = AMQPLAIN
string value The RabbitMQ login method.
rabbit_qos_prefetch_count = 0
integer value Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
rabbit_retry_backoff = 2 integer value How long to backoff for between retries when connecting to RabbitMQ.
rabbit_retry_interval = 1 integer value How frequently to retry connecting with RabbitMQ.
rabbit_transient_queues_ttl = 1800
integer value Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
ssl = False boolean value Connect over SSL.
`ssl_ca_file = ` string value SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = ` string value SSL cert file (valid only if SSL enabled).
`ssl_key_file = ` string value SSL key file (valid only if SSL enabled).
`ssl_version = ` string value SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
1.1.14. oslo_middleware
The following table outlines the options available under the [oslo_middleware] group in the /etc/barbican/barbican.conf file.
Table 1.13. oslo_middleware
Configuration option =Default value
Type Description
enable_proxy_headers_parsing = False
boolean value Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
1.1.15. oslo_policy
The following table outlines the options available under the [oslo_policy] group in the /etc/barbican/barbican.conf file.
Table 1.14. oslo_policy
Configuration option =Default value
Type Description
enforce_scope = False boolean value This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.
policy_default_rule = default
string value Default rule. Enforced when a requested rule is not found.
policy_dirs = ['policy.d'] multi valued Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
policy_file = policy.json string value The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.
remote_content_type = application/x-www-form-urlencoded
string value Content Type to send and receive data for REST based policy check
remote_ssl_ca_crt_file = None
string value Absolute path to ca cert file for REST based policy check
remote_ssl_client_crt_file = None
string value Absolute path to client cert for REST based policy check
remote_ssl_client_key_file = None
string value Absolute path to client key file for REST based policy check
remote_ssl_verify_server_crt = False
boolean value Server identity verification for REST based policy check
1.1.16. p11_crypto_plugin
The following table outlines the options available under the [p11_crypto_plugin] group in the /etc/barbican/barbican.conf file.
Table 1.15. p11_crypto_plugin
Configuration option =Default value
Type Description
aes_gcm_generate_iv = True
boolean value Generate IVs for CKM_AES_GCM mechanism.
always_set_cka_sensitive = True
boolean value Always set CKA_SENSITIVE=CK_TRUE including CKA_EXTRACTABLE=CK_TRUE keys.
encryption_mechanism = CKM_AES_CBC
string value Secret encryption mechanism
hmac_key_type = CKK_AES
string value HMAC Key Type
hmac_keygen_mechanism = CKM_AES_KEY_GEN
string value HMAC Key Generation Algorithm
hmac_keywrap_mechanism = CKM_SHA256_HMAC
string value HMAC key wrap mechanism
hmac_label = None string value Master HMAC Key label (as stored in the HSM)
library_path = None string value Path to vendor PKCS11 library
login = None string value Password to login to PKCS11 session
mkek_label = None string value Master KEK label (as stored in the HSM)
mkek_length = None integer value Master KEK length in bytes.
pkek_cache_limit = 100 integer value Project KEK Cache Item Limit
pkek_cache_ttl = 900 integer value Project KEK Cache Time To Live, in seconds
pkek_length = 32 integer value Project KEK length in bytes.
plugin_name = PKCS11 HSM
string value User friendly plugin name
rw_session = True boolean value Flag for Read/Write Sessions
`seed_file = ` string value File to pull entropy for seeding RNG
seed_length = 32 integer value Amount of data to read from file for seed
slot_id = 1 integer value (Optional) HSM Slot ID that contains the token device to be used.
token_label = None string value Token label used to identify the token to be used. Required when token_serial_number is not specified.
token_serial_number = None
string value Token serial number used to identify the token to be used. Required when the device has multiple tokens with the same label.
1.1.17. queue
The following table outlines the options available under the [queue] group in the /etc/barbican/barbican.conf file.
Table 1.16. queue
Configuration option =Default value
Type Description
asynchronous_workers = 1
integer value Number of asynchronous worker processes
enable = False boolean value True enables queuing, False invokes workers synchronously
namespace = barbican string value Queue namespace
server_name = barbican.queue
string value Server name for RPC task processing server
topic = barbican.workers string value Queue topic name
version = 1.1 string value Version of tasks invoked via queue
1.1.18. quotas
The following table outlines the options available under the [quotas] group in the /etc/barbican/barbican.conf file.
Table 1.17. quotas
Configuration option =Default value
Type Description
quota_cas = -1 integer value Number of CAs allowed per project
quota_consumers = -1 integer value Number of consumers allowed per project
quota_containers = -1 integer value Number of containers allowed per project
quota_orders = -1 integer value Number of orders allowed per project
quota_secrets = -1 integer value Number of secrets allowed per project
1.1.19. retry_scheduler
The following table outlines the options available under the [retry_scheduler] group in the /etc/barbican/barbican.conf file.
Table 1.18. retry_scheduler
Configuration option = Default value Type Description
initial_delay_seconds = 10.0 floating point value Seconds (float) to wait before starting retry scheduler
periodic_interval_max_seconds = 10.0 floating point value Seconds (float) to wait between periodic schedule events
1.1.20. secretstore
The following table outlines the options available under the [secretstore] group in the /etc/barbican/barbican.conf file.
Table 1.19. secretstore
Configuration option = Default value Type Description
enable_multiple_secret_stores = False boolean value Flag to enable multiple secret store plugin backend support. Default is False
enabled_secretstore_plugins = ['store_crypto'] multi valued List of secret store plugins to load.
namespace = barbican.secretstore.plugin string value Extension namespace to search for plugins.
stores_lookup_suffix = None list value List of suffix to use for looking up plugins which are supported with multiple backend support.
1.1.21. simple_crypto_plugin
The following table outlines the options available under the [simple_crypto_plugin] group in the /etc/barbican/barbican.conf file.
Table 1.20. simple_crypto_plugin
Configuration option = Default value Type Description
kek = dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg= string value Key encryption key to be used by Simple Crypto Plugin
plugin_name = Software Only Crypto string value User friendly plugin name
1.1.22. snakeoil_ca_plugin
The following table outlines the options available under the [snakeoil_ca_plugin] group in the /etc/barbican/barbican.conf file.
Table 1.21. snakeoil_ca_plugin
Configuration option = Default value Type Description
ca_cert_chain_path = None string value Path to CA certificate chain file
ca_cert_key_path = None string value Path to CA certificate key file
ca_cert_path = None string value Path to CA certificate file
ca_cert_pkcs7_path = None string value Path to CA chain pkcs7 file
subca_cert_key_directory = /etc/barbican/snakeoil-cas string value Directory in which to store certs/keys for subcas
1.1.23. ssl
The following table outlines the options available under the [ssl] group in the /etc/barbican/barbican.conf file.
Table 1.22. ssl
Configuration option = Default value Type Description
ca_file = None string value CA certificate file to use to verify connecting clients.
cert_file = None string value Certificate file to use when starting the server securely.
ciphers = None string value Sets the list of available ciphers. Value should be a string in the OpenSSL cipher list format.
key_file = None string value Private key file to use when starting the server securely.
version = None string value SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
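Added example (not part of the Red Hat reference or of Barbican's code): an offline audit of a barbican.conf body against the simple_crypto_plugin and ssl tables above, flagging the published default kek, retired protocol names and weak cipher terms. The sample file, its certificate paths, the function names and the 32-byte KEK length check are assumptions made for the illustration.

```python
import base64
import configparser
import re

# Default KEK exactly as printed in the simple_crypto_plugin table.
DOCUMENTED_DEFAULT_KEK = "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
# Protocol names from the [ssl] "version" description that are retired.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}
# OpenSSL cipher-string keywords that select weak or unauthenticated suites.
WEAK_WORDS = {"NULL", "ENULL", "ANULL", "EXPORT", "EXP", "LOW", "RC4", "MD5", "DES"}

# Constructed sample input; the certificate and key paths are placeholders.
SAMPLE_CONF = """\
[simple_crypto_plugin]
kek = dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=

[ssl]
cert_file = /etc/barbican/example-server.crt
key_file = /etc/barbican/example-server.key
version = TLSv1
ciphers = HIGH:!aNULL:RC4-MD5
"""


def weak_cipher_terms(cipher_list):
    """Return the terms of an OpenSSL cipher list that add weak suites."""
    weak = []
    for term in re.split(r"[:, ]+", cipher_list.strip()):
        # "!" and "-" remove suites and "+" only reorders them: nothing added.
        if not term or term[0] in "!-+":
            continue
        if {w.upper() for w in re.split(r"[+-]", term)} & WEAK_WORDS:
            weak.append(term)
    return weak


def audit_barbican_conf(text):
    """Return (section, option, finding) tuples for a barbican.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # An absent option means the documented default is what the service uses.
    kek = cp.get("simple_crypto_plugin", "kek", fallback=DOCUMENTED_DEFAULT_KEK)
    if kek.strip() == DOCUMENTED_DEFAULT_KEK:
        findings.append(("simple_crypto_plugin", "kek", "published default key"))
    else:
        try:
            raw = base64.b64decode(kek.strip(), altchars=b"-_", validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        # Assumption: a usable KEK decodes to 32 bytes, as the default does.
        if len(raw) != 32:
            findings.append(("simple_crypto_plugin", "kek", "not base64 of 32 bytes"))
    version = cp.get("ssl", "version", fallback="").strip()
    if version in LEGACY_VERSIONS:
        findings.append(("ssl", "version", "retired protocol " + version))
    for term in weak_cipher_terms(cp.get("ssl", "ciphers", fallback="")):
        findings.append(("ssl", "ciphers", "weak cipher term " + term))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_barbican_conf(SAMPLE_CONF):
        print(f"[{section}] {option}: {finding}")
```

The kek finding matters only where the Simple Crypto plugin is the active crypto backend; because the default value is printed in this reference, it gives no confidentiality to the project keys it wraps.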
CHAPTER 2. CINDER
The following chapter contains information about the configuration options in the cinder service.
2.1. CINDER.CONF
This section contains options for the /etc/cinder/cinder.conf file.
2.1.1. DEFAULT
The following table outlines the options available under the [DEFAULT] group in the /etc/cinder/cinder.conf file.
Configuration option = Default value Type Description
allocated_capacity_weight_multiplier = -1.0 floating point value Multiplier used for weighing allocated capacity. Positive numbers mean to stack vs spread.
allow_availability_zone_fallback = False boolean value If the requested Cinder availability zone is unavailable, fall back to the value of default_availability_zone, then storage_availability_zone, instead of failing.
allow_compression_on_image_upload = False boolean value The strategy to use for image compression on upload. Default is disallow compression.
allowed_direct_url_schemes = [] list value A list of url schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file,cinder].
api_paste_config = api-paste.ini string value File name for the paste.deploy config for api service
api_rate_limit = True boolean value Enables or disables rate limit of the API.
as13000_ipsan_pools = ['Pool0'] list value The Storage Pools Cinder should use, a comma separated list.
as13000_meta_pool = None string value The pool which is used as a meta pool when creating a volume, and it should be a replication pool at present. If not set, the driver will choose a replication pool from the value of as13000_ipsan_pools.
as13000_token_available_time = 3300 integer value The effective time of token validity in seconds.
auth_strategy = keystone string value The strategy to use for auth. Supports noauth or keystone.
az_cache_duration = 3600 integer value Cache volume availability zones in memory for the provided duration in seconds
backdoor_port = None string value Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
backdoor_socket = None string value Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option. Inside the path {pid} will be replaced with the PID of the current process.
backend_availability_zone = None string value Availability zone for this volume backend. If not set, the storage_availability_zone option value is used as the default for all backends.
backend_stats_polling_interval = 60 integer value Time in seconds between requests for usage statistics from the backend. Be aware that generating usage statistics is expensive for some backends, so setting this value too low may adversely affect performance.
backup_api_class = cinder.backup.api.API string value The full class name of the volume backup API class
backup_ceph_chunk_size = 134217728 integer value The chunk size, in bytes, that a backup is broken into before transfer to the Ceph object store.
backup_ceph_conf = /etc/ceph/ceph.conf string value Ceph configuration file to use.
backup_ceph_image_journals = False boolean value If True, apply JOURNALING and EXCLUSIVE_LOCK feature bits to the backup RBD objects to allow mirroring
backup_ceph_pool = backups string value The Ceph pool where volume backups are stored.
backup_ceph_stripe_count = 0 integer value RBD stripe count to use when creating a backup image.
backup_ceph_stripe_unit = 0 integer value RBD stripe unit to use when creating a backup image.
backup_ceph_user = cinder string value The Ceph user to connect with. Default here is to use the same user as for Cinder volumes. If not using cephx this should be set to None.
backup_compression_algorithm = zlib string value Compression algorithm ("none" to disable)
backup_container = None string value Custom directory to use for backups.
backup_driver = cinder.backup.drivers.swift.SwiftBackupDriver string value Driver to use for backups.
backup_driver_init_check_interval = 60 integer value Time in seconds between checks to see if the backup driver has been successfully initialized, any time the driver is restarted.
backup_driver_status_check_interval = 60 integer value Time in seconds between checks of the backup driver status. If it does not report as working, it is restarted.
backup_enable_progress_timer = True boolean value Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the backend storage. The default value is True to enable the timer.
backup_file_size = 1999994880 integer value The maximum size in bytes of the files used to hold backups. If the volume being backed up exceeds this size, then it will be backed up into multiple files. backup_file_size must be a multiple of backup_sha_block_size_bytes.
backup_gcs_block_size = 32768 integer value The size in bytes that changes are tracked for incremental backups. backup_gcs_object_size has to be multiple of backup_gcs_block_size.
backup_gcs_bucket = None string value The GCS bucket to use.
backup_gcs_bucket_location = US string value Location of GCS bucket.
backup_gcs_credential_file = None string value Absolute path of GCS service account credential file.
backup_gcs_enable_progress_timer = True boolean value Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the GCS backend storage. The default value is True to enable the timer.
backup_gcs_num_retries = 3 integer value Number of times to retry.
backup_gcs_object_size = 52428800 integer value The size in bytes of GCS backup objects.
backup_gcs_project_id = None string value Owner project id for GCS bucket.
backup_gcs_proxy_url = None uri value URL for http proxy access.
backup_gcs_reader_chunk_size = 2097152 integer value GCS object will be downloaded in chunks of bytes.
backup_gcs_retry_error_codes = ['429'] list value List of GCS error codes.
backup_gcs_storage_class = NEARLINE string value Storage class of GCS bucket.
backup_gcs_user_agent = gcscinder string value Http user-agent string for gcs api.
backup_gcs_writer_chunk_size = 2097152 integer value GCS object will be uploaded in chunks of bytes. Pass in a value of -1 if the file is to be uploaded as a single chunk.
backup_manager = cinder.backup.manager.BackupManager string value Full class name for the Manager for volume backup
backup_metadata_version = 2 integer value Backup metadata version to be used when backing up volume metadata. If this number is bumped, make sure the service doing the restore supports the new version.
backup_mount_attempts = 3 integer value The number of attempts to mount NFS shares before raising an error.
backup_mount_options = None string value Mount options passed to the NFS client. See NFS man page for details.
backup_mount_point_base = $state_path/backup_mount string value Base dir containing mount point for NFS share.
backup_name_template = backup-%s string value Template string to be used to generate backup names
backup_native_threads_pool_size = 60 integer value Size of the native threads pool for the backups. Most backup drivers rely heavily on this, it can be decreased for specific drivers that don’t.
backup_object_number_per_notification = 10 integer value The number of chunks or objects, for which one Ceilometer notification will be sent
backup_posix_path = $state_path/backup string value Path specifying where to store backups.
backup_service_inithost_offload = True boolean value Offload pending backup delete during backup service startup. If false, the backup service will remain down until all pending backups are deleted.
backup_sha_block_size_bytes = 32768 integer value The size in bytes that changes are tracked for incremental backups. backup_file_size has to be multiple of backup_sha_block_size_bytes.
backup_share = None string value NFS share in hostname:path, ipv4addr:path, or "[ipv6addr]:path" format.
backup_swift_auth = per_user string value Swift authentication mechanism (per_user or single_user).
backup_swift_auth_insecure = False boolean value Bypass verification of server certificate when making SSL connection to Swift.
backup_swift_auth_url = None uri value The URL of the Keystone endpoint
backup_swift_auth_version = 1 string value Swift authentication version. Specify "1" for auth 1.0, or "2" for auth 2.0 or "3" for auth 3.0
backup_swift_block_size = 32768 integer value The size in bytes that changes are tracked for incremental backups. backup_swift_object_size has to be multiple of backup_swift_block_size.
backup_swift_ca_cert_file = None string value Location of the CA certificate file to use for swift client requests.
backup_swift_container = volumebackups string value The default Swift container to use
backup_swift_enable_progress_timer = True boolean value Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the Swift backend storage. The default value is True to enable the timer.
backup_swift_key = None string value Swift key for authentication
backup_swift_object_size = 52428800 integer value The size in bytes of Swift backup objects
backup_swift_project = None string value Swift project/account name. Required when connecting to an auth 3.0 system
backup_swift_project_domain = None string value Swift project domain name. Required when connecting to an auth 3.0 system
backup_swift_retry_attempts = 3 integer value The number of retries to make for Swift operations
backup_swift_retry_backoff = 2 integer value The backoff time in seconds between Swift retries
backup_swift_tenant = None string value Swift tenant/account name. Required when connecting to an auth 2.0 system
backup_swift_url = None uri value The URL of the Swift endpoint
backup_swift_user = None string value Swift user name
backup_swift_user_domain = None string value Swift user domain name. Required when connecting to an auth 3.0 system
backup_timer_interval = 120 integer value Interval, in seconds, between two progress notifications reporting the backup status
backup_tsm_compression = True boolean value Enable or Disable compression for backups
backup_tsm_password = password string value TSM password for the running username
backup_tsm_volume_prefix = backup string value Volume prefix for the backup id when backing up to TSM
backup_use_same_host = False boolean value Backup services use same backend.
backup_use_temp_snapshot = False boolean value If this is set to True, a temporary snapshot will be created for performing non-disruptive backups. Otherwise a temporary volume will be cloned in order to perform a backup.
backup_workers = 1 integer value Number of backup processes to launch. Improves performance with concurrent backups.
capacity_weight_multiplier = 1.0 floating point value Multiplier used for weighing free capacity. Negative numbers mean to stack vs spread.
`chap_password = ` string value Password for specified CHAP account name.
`chap_username = ` string value CHAP user name.
chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf string value Chiscsi (CXT) global defaults configuration file
cinder_internal_tenant_project_id = None string value ID of the project which will be used as the Cinder internal tenant.
cinder_internal_tenant_user_id = None string value ID of the user to be used in volume operations as the Cinder internal tenant.
client_socket_timeout = 900 integer value Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
clone_volume_timeout = 680 integer value (DEPRECATED FOR REMOVAL) Create clone volume timeout
cloned_volume_same_az = True boolean value Ensure that the new volumes are the same AZ as snapshot or source volume
cluster = None string value Name of this cluster. Used to group volume hosts that share the same backend configurations to work in HA Active-Active mode. Active-Active is not yet supported.
compression_format = gzip string value Image compression format on image upload
compute_api_class = cinder.compute.nova.API string value The full class name of the compute API class to use
config-dir = ['~/.project/project.conf.d/', '~/project.conf.d/', '/etc/project/project.conf.d/', '/etc/project.conf.d/'] list value Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s) specified via previous --config-file, arguments hence over-ridden options in the directory take precedence. This option must be set from the command-line.
config-file = ['~/.project/project.conf', '~/project.conf', '/etc/project/project.conf', '/etc/project.conf'] unknown value Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to %(default)s. This option must be set from the command-line.
config_source = [] list value Lists configuration groups that provide more details for accessing configuration settings from locations other than local files.
conn_pool_min_size = 2 integer value The pool size limit for connections expiration policy
conn_pool_ttl = 1200 integer value The time-to-live in sec of idle connections in the pool
consistencygroup_api_class = cinder.consistencygroup.api.API string value The full class name of the consistencygroup API class
control_exchange = openstack string value The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
datera_503_interval = 5 integer value Interval between 503 retries
datera_503_timeout = 120 integer value Timeout for HTTP 503 retry messages
datera_api_port = 7717 string value (DEPRECATED FOR REMOVAL) Datera API port.
datera_api_version = 2.2 string value (DEPRECATED FOR REMOVAL) Datera API version.
datera_debug = False boolean value True to set function arg and return logging
datera_debug_replica_count_override = False boolean value ONLY FOR DEBUG/TESTING PURPOSES True to set replica_count to 1
datera_disable_extended_metadata = False boolean value Set to True to disable sending additional metadata to the Datera backend
datera_disable_profiler = False boolean value Set to True to disable profiling in the Datera driver
datera_disable_template_override = False boolean value Set to True to disable automatic template override of the size attribute when creating from a template
datera_enable_image_cache = False boolean value Set to True to enable Datera backend image caching
datera_image_cache_volume_type_id = None string value Cinder volume type id to use for cached volumes
datera_ldap_server = None string value LDAP authentication server
datera_tenant_id = None string value If set to Map -→ OpenStack proj